Responsible Disclosure
How to report a security vulnerability in TimeToWarp, and what to expect from us.
Last updated: 2026-04-11
Contact
Preferred languages: English, Russian
Response SLA: acknowledgement within 72 hours, initial status update within 7 days.
Machine-readable: /.well-known/security.txt (RFC 9116)
Scope
The following are in scope for this policy:
- The TimeToWarp web application at timetowarp.com and all subpaths and subroutes, including the /_navigator iframe shell, the /sites/ generated parody pages, the /archive/ SEO landings, the /admin/ endpoints, and the /api/ endpoints.
- Authentication and authorization (admin panel Basic Auth, abuse-form CAPTCHA, rate-limit bypass, brute-force protection, etc.).
- SSRF, XSS, CSRF, SQL injection, command injection, path traversal, and similar injection vulnerabilities anywhere in the request pipeline or in the AI generation pipeline.
- Vulnerabilities in our content-policy gate (Levels 1–5) that allow blocked content through to publication.
- Bypass of the DMCA repeat-infringer ban (IP and cookie evasion techniques that do not require ordinary VPN use).
- Bypass of the OFAC geo-block, where the bypass would let requests from sanctioned jurisdictions reach the application.
- Vulnerabilities in our chat and abuse-report endpoints.
- Information disclosure (PII leaks, secrets in responses, debug data exposure, source-map leaks of sensitive code).
The following are out of scope:
- Denial-of-service or volumetric attacks (including Slowloris, amplification, resource exhaustion at the application layer).
- Social engineering of TimeToWarp staff, contractors, or users.
- Physical security of our hosting providers.
- Vulnerabilities in third-party services we depend on (Cloudflare, DigitalOcean, Anthropic, OpenAI, Google, etc.) — please report those directly to the affected vendor.
- Self-XSS that requires the user to paste code into their own browser console or developer tools.
- Missing security headers without a demonstrable impact (CSP refinement requests, additional HSTS preload entries, etc.).
- Username enumeration via the admin login (the admin panel uses HTTP Basic Auth and is rate-limited).
- Generated 1998-style parody pages intentionally using deprecated or historically insecure HTML constructs (this is by design — see our Terms of Service).
- Reports based solely on outdated software versions where no demonstrable exploit exists.
What we ask of you
- Report the issue privately to serge.kulnev@gmail.com before any public disclosure.
- Give us a reasonable amount of time to investigate and fix the issue before disclosing it publicly. We aim for 90 days; complex issues may need more.
- Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of the service.
- Only interact with accounts you own, or with the explicit permission of the account holder.
- Do not run automated scanners against the production environment without prior coordination — automated scanner traffic is indistinguishable from a real attack and will trigger blocks.
- Do not exfiltrate, retain, or share any personal data you encounter while testing. If you stumble across user data, stop, document only what is necessary to demonstrate the issue, and tell us immediately.
What you can expect from us
- Acknowledgement of your report within 72 hours.
- Initial triage and severity assessment within 7 days.
- Regular updates on remediation progress (at least every 14 days for active issues).
- Credit in our acknowledgements section below if you wish.
- No legal action against good-faith security researchers acting in compliance with this policy (see Safe Harbor).
Hall of fame
Researchers who have made a responsible disclosure to TimeToWarp:
- (empty — be the first!)
Safe Harbor
Security research conducted in good faith and in accordance with this policy is considered authorised and lawful by TimeToWarp. We will not pursue civil or criminal action against you for activities that comply with this policy, including:
- Claims under the U.S. Computer Fraud and Abuse Act (CFAA, 18 U.S.C. §1030) for accessing the TimeToWarp application without further authorisation, where that access is incidental to good-faith research permitted by this policy.
- Claims under the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA, 17 U.S.C. §1201) for bypassing technological protection measures, where doing so is necessary to demonstrate a vulnerability covered by this policy.
- Claims under analogous state computer-misuse statutes, to the extent we are entitled to waive them.
If you have any uncertainty about whether a particular activity is authorised under this policy, please contact us at serge.kulnev@gmail.com before proceeding. We would much rather answer a question than receive a surprise.
This safe-harbor commitment does not extend to third-party services we use (Cloudflare, DigitalOcean, Anthropic, OpenAI, Google, etc.). Always check the third-party vendor's own disclosure policy before testing anything that touches their infrastructure.
This safe harbor also does not authorise activities that would violate laws unrelated to computer access — for example, we cannot waive criminal liability for theft, extortion, or knowingly accessing data of third parties for purposes unrelated to security research.
This responsible-disclosure policy was drafted based on industry-standard templates (disclose.io, GitHub Security Lab, Bugcrowd Standard Disclosure Terms). It has not been independently reviewed by legal counsel and should not be construed as legal advice.
